Data breach notifications have been flagged as one of the pressing issues to be tackled under a multinational joint action plan outlined by the attorneys general of the US, UK, Canada, New Zealand and Australia last week.
Australia is falling well behind on holding organisations accountable for breaches: each of the other four countries has either implemented mandatory breach notification or is actively working towards it.
The US has already implemented laws that require organisations to notify the US Federal Trade Commission within 60 days if personal information is compromised in a security breach, and to notify every affected US individual. The laws further specify that individuals must be told exactly what information has been compromised. Failure to do so renders the organisation liable for US$11,000 per affected individual, up to a cap of US$5 million.
Internet and telecommunications service providers in the UK are also already required to disclose when they have experienced a breach, and the EU commissioner said last month that she wanted to extend this obligation to all businesses. The UK Information Commissioner's Office is able to impose penalties of up to £500,000 on organisations that breach its Data Protection Principles.
New Zealand doesn't have any breach notification laws; however, its Law Commission is currently considering the issue as part of its four-stage privacy review, which began in 2006. Discussion and consultation on the final stage have concluded, and the Law Commission is expected to deliver its report shortly.
Canada has a Bill that is proceeding through parliament that will require businesses to disclose data breaches if they may result in a "real risk of significant harm". Until this is passed, its Federal Privacy Commissioner has issued guidelines for organisations to follow in the event of a breach, but these are voluntary.
Australia currently has no legislation that forces companies to disclose breaches, even though mandatory notification was recommended in the Australian Law Reform Commission's report on privacy, released in 2008.
The government has had to split its response to the report into two stages to cover the 295 recommendations made, and data breach notification is addressed only in the second stage. Work on the second stage won't begin until the first stage has been completed, and the Department of the Prime Minister and Cabinet's website currently gives no schedule for when that might occur.
Data breaches have received attention over the past year after incidents at companies such as Vodafone, Telstra and Gawker Media, but experts believe that the breaches we know about may be only the tip of the iceberg.
The attorneys general also said they would look to have internet service providers develop codes of practice to curb malware, similar to Australia's iCode, which has already attracted US interest.